Results 1 to 6 of 6

Thread: ProviderSignInController and the state parameter to prevent CSRF during OAuth2 dance

  1. Mar 5th, 2012, 03:35 PM #1
    springsource123
    springsource123 is offline Junior Member
    Join Date
    Mar 2012
    Posts
    2

    Default ProviderSignInController and the state parameter to prevent CSRF during OAuth2 dance

    Facebook authentication documentation (Last section in http://developers.facebook.com/docs/authentication/) indicates that a state parameter should be passed through and validated during the OAuth2 dance as a security precaution.

    I don't see that the ProviderSignInController accomplishes this. Is this ability built into spring social? If yes, how do I configure it to send and confirm the state parameter. If not, how do I minimally accomplish it (and will a future release provide this functionality)?

    Thanks in advance for the replies.
    Reply With Quote Reply With Quote
  2. Mar 6th, 2012, 08:58 AM #2
    habuma
    habuma is offline Senior Member
    Join Date
    Aug 2004
    Posts
    1,067

    Default

    Your correct in saying that Spring Social's controllers do not directly support this. I've created https://jira.springsource.org/browse/SOCIAL-299 to track this work. Thanks for bringing this to my attention.

    Note that the connection and sign-in controllers are generic and support providers other than Facebook. Therefore, this is not a simple matter of sending state and then comparing in after the redirect. If I were to naively implement it that way, then connection flows for providers who do not support this mechanism would fail. Therefore, I'll need to set aside some time to see what, if any, CSRF protection other providers offer and design the work such that it provides protection for those who do support it and flows freely for those who don't.
    Craig Walls
    Spring Social Project Lead
    Reply With Quote Reply With Quote
  3. Mar 6th, 2012, 09:30 AM #3
    springsource123
    springsource123 is offline Junior Member
    Join Date
    Mar 2012
    Posts
    2

    Default

    Thank you for your response, Craig.
    Reply With Quote Reply With Quote
  4. Apr 12th, 2012, 03:59 AM #4
    karpaczio
    karpaczio is offline Member
    Join Date
    Jan 2010
    Posts
    30

    Default

    Any updates on this ?
    Reply With Quote Reply With Quote
  5. Apr 12th, 2012, 05:59 AM #5
    habuma
    habuma is offline Senior Member
    Join Date
    Aug 2004
    Posts
    1,067

    Default

    I'm sorry to say that I've not had a chance to attack this yet. It's still on the roadmap for the next milestone release, though. Once I break away from some other tasks that are on my plate, I'll get started on this one.
    Craig Walls
    Spring Social Project Lead
    Reply With Quote Reply With Quote
  6. Jun 4th, 2012, 09:20 AM #6
    aashish
    aashish is offline Junior Member
    Join Date
    Jun 2012
    Posts
    1

    Default

    Hi
    I am also stuck at the same issue. I need to implement the state parameter through Spring social for FB.
    It seems we need to just add the "state" in ConnectSupport.getOAuth2Parameters method (after we set the scope parameter) where the Oauth2Parameters are set.
    Please let us know when we can get this fix/ feature.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules